Employee-Related Security Risks Are Addressed in our Latest Ponemon Institute Study

Published: June 1, 2016 by Michael Bruemmer


What keeps your cyber security team up at night, and does it weigh equally on the minds of managers? Do they lose sleep worrying about malicious attacks from outside your organization? Or do they fear a careless employee will leave a laptop in an unlocked car or use an unsecured personal mobile device to access proprietary company information?

Employee-related security risks are the top concern for security professionals, our new study, Managing Insider Risk Through Training & Culture, found. The Ponemon Institute polled more than 600 information security professionals at companies that have a data protection and privacy training program. The study found that while 55 percent of those surveyed have already had a malicious or negligent employee cause a security incident, few are taking adequate steps to improve security from within.

Not on the same page

One reason for this could be the imbalance between how the IT department perceives employee risk and how the C-suite does. While 66 percent of security professionals view employee-related risk as the biggest security threat, just 35 percent of them say their senior managers share that view. They may also feel less able to catch slip-ups versus intentional acts; security pros are far more concerned that an employee will unintentionally cause an incident than they are about workers potentially perpetrating malicious attacks.

Often, companies focus their cyber security efforts on preventing, catching and remedying intentional attacks. And while they can do much to reduce the risk of employees unintentionally causing an incident, few companies are doing everything they can. Less than half (46 percent) of the surveyed companies require cyber security training for all employees, and 60 percent don’t make employees retrain after a data breach.

Actionable suggestions for teachable moments

The problem of employee-related security risks is not unsolvable. Companies need to take steps to create a culture of security at every level of their organizations. These steps should include:

  • Requiring mandatory advanced-level training for all full and part-time employees and contract workers. Typically, companies that do provide training don’t require it for all employees, or they take a tiered approach that fails to provide all employees with a comprehensive understanding of the risks. Our study found just 43 percent of companies provide only one basic course for all employees. Basic courses often omit significant risks that can lead to a data breach. What’s more, retraining needs to occur on an ongoing basis, as new threats emerge in the cyber security realm. Retraining is especially important following a breach, when employees’ awareness of cyber security risks is highest.
  • Establishing and enforcing a system of carrots and sticks. More than half (56 percent) of companies deal with an employee’s careless handling of data by having that employee meet one-on-one with a superior, and 51 percent have them meet with an IT security person. Less than half (45 percent) give formal reprimands, 19 percent demote the employee, and 16 percent cut salary, bonuses or incentives. However, sticks are only half the solution. Companies also need to incentivize employees to be cognizant of cyber security and few are doing a good job of it. In fact, 67 percent do nothing at all to encourage employees to proactively protect data.

Employees should be a company’s greatest asset. With the right training and an ongoing emphasis on cyber security, every member of your corporate team can help reduce your organization’s risk of a negligence-related cyber security incident.  To download the complimentary report, visit http://bit.ly/22vZ31n.